b'  DEPARTMENT OF HOMELAND SECURITY\n\n           Office of Inspector General\n\n       Information Technology Management\n       Letter for the FY 2005 Customs and\n       Border Protection Balance Sheet Audit\n                       (Redacted)\n\n\n\n\n Notice: The Department of Homeland Security, Office of Inspector General, has redacted\n this report for public release. The redactions are identified as (b)(2), comparable to 5\n U.S.C. \xc2\xa7 552 (b)(2). A review under the Freedom of Information Act will be conducted upon\n request.\n\n\n\n\n            Office of Information Technology\n\nOIG-06-41                                                                    June 2006\n\x0c\x0c                        KPMG LLP\n                        2001 M Street, NW\n                        Washington, DC 20036\n\n\nDecember 2, 2005\n\nInspector General\nU.S. Department of Homeland Security\n\nCommissioner\nBureau of Customs and Border Protection\n\nChief Information Officer\nBureau of Customs and Border Protection\n\nWe have audited the consolidated balance sheet of the U.S. Department of Homeland Security\xe2\x80\x99s\nBureau of Customs and Border Protection (CBP) as of September 30, 2005. In planning and\nperforming our audit of CBP\xe2\x80\x99s consolidated balance sheet, we considered CBP\xe2\x80\x99s internal control\nover financial reporting in order to determine our auditing procedures for the purpose of\nexpressing our opinion on the consolidated balance sheet. Audit procedures may not include\nexamining the effectiveness of internal controls and an audit does not provide assurance on\ninternal control. We have not considered internal control since the date of our report.\n\nDuring our audit, we noted certain matters involving internal control and other operational\nmatters with respect to information technology that are summarized in the Information\nTechnology Management Letter starting on page 1. These comments and recommendations, all\nof which have been discussed with the appropriate members of management, are intended to\nimprove internal control or result in other operating efficiencies. These comments are in addition\nto the reportable conditions presented in our Independent Auditors\xe2\x80\x99 Report, dated November 2,\n2005, and represent the separate restricted distribution report mentioned in that report. A\ndescription of each Notice of Findings and Recommendations is provided in Appendix B. We\nhave also included the current status of each prior year Notice of Findings and Recommendations\nin Appendix C. Our comments related to financial management that are in addition to the\nreportable conditions presented in our Independent Auditors\xe2\x80\x99 Report will be reported in the DHS\nconsolidated management letter.\n\nOur audit procedures were designed primarily to enable us to form an opinion on the consolidated\nbalance sheet and therefore may not bring to light all weaknesses in policies and procedures that\nmay exist. We aim, however, to use our knowledge of CBP\xe2\x80\x99s organization gained during our\nwork to make comments and suggestions that we hope will be useful to you.\n\nWe would be pleased to discuss these comments and recommendations with you at any time.\n\nThis report is intended for the information and use of DHS and CBP management, the DHS\nOffice of Inspector General, the U.S. Office of Management and Budget, the U.S. Congress, and\nthe Government Accountability Office, and is not intended to be and should not be used by\nanyone other than these specified parties.\n\nVery truly yours,\n\n\n   Information Technology Management Letter for the FY 2005 Customs and Border Protection\n                                Financial Statement Audit\n\n                                KPMG LLP. KPMG LLP, a U.S. limited liability partnership, is\n                                a member of KPMG International, a Swiss association.\n\x0c           Department of Homeland Security - Customs and Border Protection\n                       Information Technology Management Letter\n                                  September 30, 2005\n\n\n\n\nRobert Todero\nPartner\n\x0c           Department of Homeland Security - Customs and Border Protection\n                       Information Technology Management Letter\n                                  September 30, 2005\n\n\n\n              INFORMATION TECHNOLOGY MANAGEMENT LETTER\n\n                                  TABLE OF CONTENTS\n\n\n                                                                                           Page\n\nInformation Technology Objective, Scope and Approach                                        1\n\nSummary of Findings and Recommendations                                                     2\n\nFindings by Audit Area                                                                      2\n\n       Entity-Wide Security Program Planning and Management                                 2\n\n       Access Controls                                                                      3\n\n       Segregation of Duties                                                                5\n\n       Service Continuity                                                                   6\n\n       Application Software Development and Change Controls                                 6\n\n       Management Comments and OIG Evaluation                                               7\n\n\n                                       APPENDICES\n\n\n   Appendix                                     Subject                                    Page\n\n                 Description of Financial Systems and IT Infrastructure within the Scope\n      A                                                                                     8\n                 of the FY 2005 CBP Balance Sheet Audit\n\n       B         FY 2005 CBP Notices of Findings and Recommendations \xe2\x80\x93 IT Detail            10\n\n      C          Status of Prior Year Notices of Findings and Recommendations and\n                                                                                            18\n                 Comparison to Current Year Notice of Findings and Recommendations\n\n      D          Management Response to Draft CBP IT Management Letter                      21\n\x0c             Department of Homeland Security - Customs and Border Protection\n                         Information Technology Management Letter\n                                    September 30, 2005\n\n                   INFORMATION TECHNOLOGY\n                 OBJECTIVE, SCOPE AND APPROACH\n KPMG performed a review of CBP\xe2\x80\x99s IT general controls in support of the FY 2005 CBP consolidated\n balance sheet audit. The overall objective of our review was to evaluate the effectiveness of IT\n general controls of CBP\xe2\x80\x99s financial processing environment and related IT infrastructure as necessary\n to support the audit. The Federal Information System Controls Audit Manual (FISCAM), issued by\n the Government Accountability Office (GAO), formed the basis of our review and was supplemented\n by the National Institute of Standards and Technology (NIST) Special Publication 800-53 and\n applicable CBP and DHS policies. The scope of the IT general controls assessment included testing\n at CBP\xe2\x80\x99s Office of Finance and Office of Information Technology.\n\n FISCAM is designed to inform financial auditors about IT controls and related audit concerns to\n assist them in planning their audit work and to integrate the work of auditors with other aspects of the\n financial audit. FISCAM also provides guidance to IT auditors when considering the scope and\n extent of review that generally should be performed when evaluating general controls and the IT\n environment of a federal agency. FISCAM defines the following six control functions to be essential\n to the effective operation of the general IT controls environment.\n\n     \xe2\x80\xa2   Entity-wide security program planning and management (EWS) \xe2\x80\x93 Controls that provide a\n         framework and continuing cycle of activity for managing risk, developing security policies,\n         assigning responsibilities, and monitoring the adequacy of computer-related security controls.\n     \xe2\x80\xa2   Access control (AC) \xe2\x80\x93 Controls that limit and/or monitor access to computer resources (data,\n         programs, equipment, and facilities) to protect against unauthorized modification, loss, and\n         disclosure.\n     \xe2\x80\xa2   System software (SS) \xe2\x80\x93 Controls that limit and monitor access to powerful programs that\n         operate computer hardware.\n     \xe2\x80\xa2   Segregation of duties (SD) \xe2\x80\x93 Controls that constitute policies, procedures, and an\n         organizational structure to prevent one individual from controlling key aspects of computer-\n         related operations, thus deterring unauthorized actions or access to assets or records.\n     \xe2\x80\xa2   Service continuity (SC) \xe2\x80\x93 Controls that involve procedures for continuing critical operations\n         without interruption, or with prompt resumption, when unexpected events occur.\n     \xe2\x80\xa2   Application software development and change control (ASDCC) \xe2\x80\x93 Controls that help to\n         prevent the implementation of unauthorized programs or modifications to existing programs.\n\n To complement our general IT controls review, we also performed technical security testing for key\n network and system devices, as well as testing over key financial application controls. The technical\n security testing was performed from within CBP, and was focused on test, development, and\n production devices that directly support CBP financial processing and key general support systems.\n We also tested application controls, which are the structure, policies, and procedures that apply to\n separate, individual application systems, such as accounts payable, inventory, payroll, grants, or\n loans. The application control testing was performed to assess the controls that support the financial\n system\xe2\x80\x99s internal controls over the input, processing, and output of financial data and transactions.\n\n\n\n\n                                                  1\nInformation Technology Management Letter for the FY 2005 Customs and Border Protection Financial\n                                       Statement Audit\n\x0c              Department of Homeland Security - Customs and Border Protection\n                          Information Technology Management Letter\n                                     September 30, 2005\n\n    SUMMARY OF FINDINGS AND RECOMMENDATIONS\n  During FY 2005, CBP took corrective action to address prior year IT control weaknesses. However,\n  during FY 2005, we continued to find IT general control weaknesses at CBP. The most significant\n  weaknesses from a balance sheet audit perspective related to entity-wide security and access controls.\n  Collectively, the IT control weaknesses limited CBP\xe2\x80\x99s ability to ensure that critical financial and\n  operational data was maintained in such a manner to ensure confidentiality, integrity, and availability.\n  In addition, these weaknesses negatively impacted the internal controls over CBP financial reporting\n  and its operation, and we consider them to collectively represent a material weakness under standards\n  established by the AICPA. The information technology findings were consolidated into one material\n  weakness regarding Financial Systems Functionality and Technology for the FY 2005 audit of the\n  CBP consolidated balance sheet.\n\n  Although we noted improvement, many of the conditions identified at CBP in FY 2004 during our\n  engagement to audit DHS\xe2\x80\x99 consolidated financial statements have not been corrected because CBP\n  still faces challenges related to the merging of numerous IT functions, controls, processes, and overall\n  organizational shortages. During FY 2005, CBP took steps to help address these conditions, such as\n  implementing increased controls over access to sensitive applications functions, improving its IT\n  security program by implementing CBP-wide security training and implementing a new financial\n  management system replacing the legacy mainframe system.\n\n  Despite these improvements, CBP needs further emphasis on the monitoring and enforcement of the\n  policies and procedures through the performance of periodic security control assessments and audits.\n  Further improvements are needed in implementing and enforcing the CBP-wide security certification\n  and accreditation (C&A) program, and technical security control training for system administrators\n  and security officers. Many of the technical issues identified during our review, which were also\n  identified during FY 2004, such as weak system access controls and inconsistent contingency\n  planning, can be addressed through a more effective security C&A program and security training\n  program.\n\nFINDINGS BY AUDIT AREA\n\n  Entity-Wide Security Program Planning and Management\n\n  During FY 2005, CBP improved its level of entity-wide security program planning and management.\n  However, continued efforts are needed, especially in the areas of program management related to the\n  detection and monitoring of technical information security weaknesses. Collectively, the identified\n  entity-wide security planning and management issues, coupled with the access control issues\n  described later in this management letter, reduce the overall effectiveness of the entity-wide security\n  programs for CBP.\n\n  Conditions noted regarding entity-wide security program planning and management at CBP were:\n\n      \xe2\x80\xa2   Security risk assessments were not performed regularly and consistently;\n\n      \xe2\x80\xa2   CBP has not made efforts to evaluate the need for a separate C&A for the applications\n          remaining in the seven business process areas defined in the Administrative Applications\n          C&A;\n\n                                                   2\n Information Technology Management Letter for the FY 2005 Customs and Border Protection Financial\n                                        Statement Audit\n\x0c              Department of Homeland Security - Customs and Border Protection\n                          Information Technology Management Letter\n                                     September 30, 2005\n\n\n     \xe2\x80\xa2   Initial security awareness training for CBP employees and contractors was not completed;\n         and\n\n     \xe2\x80\xa2   Improvements are still needed in CBP\xe2\x80\x99s Incident Handling and Response Capability.\n         Specifically, issues still exist related to incident prevention, response, recovery, and\n         reporting. ---------------- ------------------------------ ---- ---------------- ---------- ---- ---------- ---\n         ------------------------------------------------ ---------------------------- --------------------------------\n         -------------- ----------------- - ------- - ---------------- There is a process in place for tracking\n         incidents. However, process is not consistent and/or complete. Incidents were not included\n         on requested weekly reports and incident documentation was missing.\n\n Recommendations:\n\n Entity-wide security program planning and management controls should be in place to establish a\n framework and continuing cycle of activity to manage security risk, develop security policies, assign\n responsibilities, and monitor the adequacy of computer security related controls. We recommend that\n the CBP Chief Information Officer (CIO), in coordination with the Chief Financial Officer (CFO),\n other CBP functional leaders, and the DHS CIO continue efforts to fully implement a security\n program to ensure that:\n\n     \xe2\x80\xa2   Security risk assessments are regularly completed in a consistent manner per Office of\n         Management and Budget (OMB) and NIST guidance;\n\n     \xe2\x80\xa2   Information security planning efforts more consistently follow Federal guidance (OMB and\n         NIST) specifically regarding the implementation and enforcement of the C&A program and\n         with respect to the applications remaining in the seven business process areas defined in the\n         Administrative Application C&A;\n\n     \xe2\x80\xa2   Management consistently applies the requirements for initial security awareness training for\n         all employees and contractors upon initially establishing LAN/mainframe accounts to CBP\n         information systems; and\n\n     \xe2\x80\xa2   Continue to test and implement a standard real-time automated reporting process whereby\n         information can be generated on all incidents, response, and recovery activities on a regular\n         basis for servers and workstations. Additionally, management should develop a consistent\n         process to respond to system flaw notifications and track reported security incidents.\n\n Access Controls\n\n During FY 2005 we noted significant access control vulnerabilities with -----------------------------\n -------------------------------- These are significant issues because personnel inside the organization\n who best understand the organization\xe2\x80\x99s systems, applications, and business processes were able to\n make unauthorized access to some systems and applications. Some of the identified vulnerable\n devices were used for test and development purposes. In some cases, users were able to access ----\n ------------------------------ with group passwords, system default passwords, or the same passwords\n with which they logged into ------------- ---------. As a result, hackers could target----------\n\n\n\n                                                         3\nInformation Technology Management Letter for the FY 2005 Customs and Border Protection Financial\n                                       Statement Audit\n\x0c               Department of Homeland Security - Customs and Border Protection\n                           Information Technology Management Letter\n                                      September 30, 2005\n\n ----------- ---- --------- to obtain information (e.g., - -------------------------) to attempt further access into\n CBP\xe2\x80\x99s IT environment.\n\n Conditions noted regarding access controls at CBP were:\n\n     \xe2\x80\xa2    Instances where non-supervisory users had excessive access to sensitive and high-risk\n          -------------------------------------- ---------------------\n\n     \xe2\x80\xa2    Instances within ----- where certain controls could be overridden without supervisory\n          approval;\n\n     \xe2\x80\xa2    Instances where policies and procedures for restricting and monitoring access to CBP\xe2\x80\x99s -----\n          ------------- - - - ------ ----- ----- were not implemented or were inadequate, the ability to\n          monitor security logs did not exist, and separated employees had active accounts in ----- ;\n\n     \xe2\x80\xa2    Instances of missing user passwords ----------------------------------- weak user passwords, and\n          weaknesses in user account management. We also noted several cases where user accounts\n          were not periodically reviewed for appropriateness, including authorizations to use group\n          user accounts and excessive account privileges;\n\n     \xe2\x80\xa2    Instances where legacy point-to-point frame relay connections existed without formal\n          interconnection service agreements (ISA);\n\n     \xe2\x80\xa2    No formal process exited to confirm or enforce compliance with the ----- re-certification\n          process at the field sites;\n\n     \xe2\x80\xa2    Physical access to the -------------------- ---- --------- was not adequately implemented or\n          enforced; and\n\n     \xe2\x80\xa2    Inconsistent authorization and recertification process for virtual private network (VPN) users.\n\n Recommendations:\n\n In close concert with an organization\xe2\x80\x99s entity-wide information security program, access controls for\n general support systems and applications should provide reasonable assurance that computer\n resources such as data files, application programs, and computer-related facilities and equipment are\n protected against unauthorized modification, disclosure, loss, or impairment. Access controls are\n facilitated by an organization\xe2\x80\x99s entity-wide security program. Such controls include physical\n controls, such as keeping computers in locked rooms to limit physical access, and logical controls,\n such as security software programs designed to prevent or detect unauthorized access to sensitive\n files. Inadequate access controls diminish the reliability of computerized data and increase the risk of\n destruction or inappropriate disclosure of information.\n\n We recommend that the CBP CIO, in coordination with the CFO and other CBP functional leaders:\n\n     \xe2\x80\xa2   Ensure that the assignment of sensitive functions and high-risk combinations of functions to\n         non-supervisory users is based on a documented business need and approved by a supervisory\n\n\n\n                                                       4\nInformation Technology Management Letter for the FY 2005 Customs and Border Protection Financial\n                                       Statement Audit\n\x0c             Department of Homeland Security - Customs and Border Protection\n                         Information Technology Management Letter\n                                    September 30, 2005\n\n        official. Exceptions from the guidance provided in the memorandum should be formally\n        approved and documented.\n\n    \xe2\x80\xa2   Develop a process to mitigate the systemic ----- weakness where certain controls can be\n        overridden without supervisory approval.\n\n    \xe2\x80\xa2   Implement and enforce a password account management process to ensure the periodic\n        review of user accounts. Develop a formal centralized process for tracking the termination of\n        employee and contract personnel and coordinate the deactivation of all systems access of\n        terminated employees and contractors immediately upon separation from CBP. Design and\n        implement an entity-wide security configuration process to enforce the guideline of least\n        privilege system access and the monitoring of security logs ----------\n\n    \xe2\x80\xa2   Implement a formal vulnerability assessment process whereby systems are periodically\n        reviewed for security weaknesses and ensure that password controls meet DHS and CBP\n        password requirements on all systems;\n\n    \xe2\x80\xa2   Complete efforts to identify all connections with the ------ and formally establish ISAs with\n        these entities;\n\n    \xe2\x80\xa2   Formalize the process to confirm or enforce compliance with the ------------ ----- ---------------\n        ------------------ and formally document the verification of -------------------------------------\n\n    \xe2\x80\xa2   Perform a formal review of all personnel that have access to ---- ---------------- determine those\n        that do not have a formal user access form in place. Confirm that current personnel with -----\n        ----------------- actually need this access to perform their job functions and remove those who\n        do not. Additionally, establish a formal authorized user access form for each person\n        identified; and\n\n    \xe2\x80\xa2   Continue to use the official authorization form for new VPN users, formally re-certify all\n        VPN employee accounts on a periodic basis and document results.\n\n Segregation of Duties\n\n During FY 2005, we continued to note instances where an individual controlled more than one critical\n function within a process, increasing the risk that erroneous or fraudulent transactions could be\n processed, improper program changes could be implemented, and computer resources could be\n damaged or destroyed, without detection. Additionally, we noted a lack of segregation of duties\n among major operating and programming activities, including duties performed by users, application\n programmers, and data center staff.\n\n Conditions noted regarding segregation of duties at CBP were:\n\n    \xe2\x80\xa2   Instances where individuals were able to perform incompatible functions, such as the\n        changing, testing, and implementation of software, without sufficient compensating controls\n        in place; and\n\n\n\n\n                                                  5\nInformation Technology Management Letter for the FY 2005 Customs and Border Protection Financial\n                                       Statement Audit\n\x0c             Department of Homeland Security - Customs and Border Protection\n                         Information Technology Management Letter\n                                    September 30, 2005\n\n    \xe2\x80\xa2    Instances where key security positions were not defined or assigned, and descriptions of\n         positions were not documented or updated.\n\n Recommendations:\n\n We recommend that the CBP CIO, in coordination with the CFO and other CBP functional leaders,\n ensure that:\n\n    \xe2\x80\xa2    Responsibilities are documented so that incompatible duties are consistently separated. If this\n         is not feasible given the smaller size of certain functions, then sufficient compensating\n         controls, such as periodic peer reviews, should be implemented; and\n\n    \xe2\x80\xa2    Policies and procedures are developed and documented to assign key security positions and\n         maintain current position descriptions.\n\n Service Continuity\n\n During FY 2005 we noted that CBP took some corrective actions to address IT control issues related\n to the back-up and protection of critical system data. Despite these improvements, a weakness related\n to disaster recovery plans and business continuity plans continued to exist. Service continuity is\n important because losing the capability to process, retrieve, and protect information maintained\n electronically can significantly affect an agency\xe2\x80\x99s ability to accomplish its mission.\n\n The condition noted regarding service continuity at CBP was:\n\n     \xe2\x80\xa2   An incomplete and outdated alternate processing site agreement regarding specifics related to\n         the identified equipment and priority service requirements.\n\n Recommendation:\n\n We recommend that the CBP CIO, in coordination with the CFO and other CBP functional leaders:\n\n    \xe2\x80\xa2    Formally update the alternate processing site agreement to accurately reflect the current\n         hardware and support that will be required of the alternate processing site vendor in the event\n         of an emergency.\n\n Application Software Development and Change Control\n\n During FY 2005 we noted that CBP took corrective actions to address IT control issues related to\n application software changes. However, we noted that in some cases the application software change\n control documentation was still not consistent with CBP guidance.\n\n Conditions noted regarding configuration management and change control at CBP were:\n\n     \xe2\x80\xa2   Instances where ----- application developers were found with access to the production\n         environment;\n\n\n\n\n                                                 6\nInformation Technology Management Letter for the FY 2005 Customs and Border Protection Financial\n                                       Statement Audit\n\x0c                 Department of Homeland Security - Customs and Border Protection\n                             Information Technology Management Letter\n                                        September 30, 2005\n\n        \xe2\x80\xa2   Instances where ----- codes were not configured to the \xe2\x80\x9cProductive\xe2\x80\x9d setting, allowing users\n            with "mass deletion/change" access to transactional data; and\n\n        \xe2\x80\xa2   Instances where changes to-------were not always documented.\n\n    Recommendations:\n\n    We recommend that the CBP CIO, in coordination with the CFO and other CBP functional leaders:\n\n       \xe2\x80\xa2    Develop and employ a formally documented process for granting ------------- normal and\n            emergency access to the production environment;\n\n       \xe2\x80\xa2    Perform a formal analysis of the new ----- system\xe2\x80\x99s configurations to determine the\n            appropriate settings to prevent users from accidentally or purposely deleting or altering\n            transactional data. Based on this analysis, the system should be configured accordingly; and\n\n       \xe2\x80\xa2    Formally document test plans, test cases, and test results for all ----- changes and formally\n            document business and customer impact analyses for ----- change requests.\n\n\n\nMANAGEMENT COMMENTS AND OIG EVALUATION\n\nWe obtained written comments on a draft of this report from the CBP CIO. Generally, the CBP CIO\nagreed with all of the report\xe2\x80\x99s findings and recommendations. We have incorporated the comments\nwhere appropriate and included a copy of the comments in their entirety at Appendix D.\n\nIn his response, the CBP CIO stated that CBP is:\n\n        \xe2\x80\xa2   Taking steps to ensure that entity-wide security program planning and management\n            controls are in place to establish a framework and continuing cycle of activity to manage\n            security risk;\n        \xe2\x80\xa2   Working to ensure that the assignment of sensitive functions is legitimate, that the\n            weaknesses that can lead to a control override in certain systems is mitigated, and that\n            physical and electronic access to sensitive CBP systems is secured and carefully monitored;\n        \xe2\x80\xa2   Continuing to develop applicable policies and procedures to ensure that certain duties are\n            separated, as necessary and to monitor user roles and new user or access requests to prevent\n            future segregation of duty conflicts;\n        \xe2\x80\xa2   Working to ensure that the --------------- - ----------------- Continuity of Operations Plan\n            (COOP) is as current as possible, and that the alternate processing site has the hardware and\n            support necessary to continue operations in the event of an emergency; and\n        \xe2\x80\xa2   Ensuring that proper separation of roles between the development and production\n            environments are established.\n\n\nOIG Response\n\nWe agree with the steps that CBP is taking to satisfy these recommendations.\n\n                                                     7\n  Information Technology Management Letter for the FY 2005 Customs and Border Protection Financial\n                                         Statement Audit\n\x0c                                                                                     Appendix A\n\n                   United States Bureau of Customs and Border Protection\n                          Information Technology Management Letter\n                                     September 30, 2005\n\n\n\n\n                                       Appendix A\n\nDescription of Financial Systems and IT Infrastructure within the\n         Scope of the FY 2005 CBP Balance Sheet Audit\n\n\n\n\n                                               8\nInformation Technology Management Letter for the FY 2005 Customs and Border Protection Financial\n                                       Statement Audit\n\x0c                                                                                                     Appendix A\n\n                      United States Bureau of Customs and Border Protection\n                             Information Technology Management Letter\n                                        September 30, 2005\n\n\n  Below is a description of significant CBP financial management systems and supporting IT\n  infrastructure included in the scope of the September 30, 2005 CBP consolidated balance sheet\n  audit.\n\n  Locations of Review: ---------------------------------------------------------------------- ------------------\n  --------------------------------------------------------------- .\n\n  Systems Subject to Review:\n\n  \xe2\x80\xa2   ------------------------------- ---------------- ---------- --------was decommissioned in FY 2005 and\n      replaced by ----- . It was CBP\'s IBM --- ----- -- - -based financial management system that\n      supported primary financial accounting and reporting processes, and a number of additional\n      subsystems for specific operational and administrative management functions. The core system\n      consisted of general ledger, accounts receivable, disbursements/payables, purchasing, and\n      budget execution modules. ------- was hosted on a customized version of-------------\n      ------------- ----------- - ------------- ------------------------ ----- --------\n\n  \xe2\x80\xa2   ---------- \xe2\x80\x93 ----- is a client/server-based financial management system that was implemented\n      beginning in FY 2004 to ultimately replace the ------- -------------------------------- --- ----- ------ -\n      using a phased approach. The---------------------------- -- - ----- ------ was implemented and\n      utilized in FY 2004. Other --------------- were implemented in FY 2005.\n\n  \xe2\x80\xa2   --------------- - ---------------------------- -------- is a collection of mainframe-based applications\n      used to track, control, and process all commercial goods, conveyances and private aircraft\n      entering the United States territory, for the purpose of collecting import duties, fees, and taxes\n      owed the Federal government.\n\n  \xe2\x80\xa2   ---------------- ------------------------------------------------ \xe2\x80\x93 Used for tracking seized assets,\n      Customs Forfeiture Fund, and fines & penalties.\n\n\n\n\n                                                       9\nInformation Technology Management Letter for the FY 2005 Customs and Border Protection Financial\n                                       Statement Audit\n\x0c                                                                                     Appendix B\n\n             Department of Homeland Security - Customs and Border Protection\n                         Information Technology Management Letter\n                                    September 30, 2005\n\n\n\n\n                                       Appendix B\n\n                            FY 2005 CBP\n        Notices of Findings and Recommendations \xe2\x80\x93 IT Detail\n\n\n\n\n                                              10\nInformation Technology Management Letter for the FY 2005 Customs and Border Protection Financial\n                                       Statement Audit\n\x0c                                                                                                               Appendix B\n\n                 Department of Homeland Security - Customs and Border Protection\n                             Information Technology Management Letter\n                                        September 30, 2005\n\n               FY 2005 CBP Notices of Findings and Recommendations \xe2\x80\x93 IT Detail\n\n\n   NFR #                            Condition                                               Recommendation\n                                                                          Coordinate with each field office that has a\n                                                                          segregation of duties conflict to either (1) correct\n                                                                          the problem by removing the conflicting roles, or\n               A number of - --- IDs had a segregation of\nCBP-IT-05-01                                                              (2) sign a waiver to accept responsibility for issues\n               duties conflict.\n                                                                          arising from the segregation of duties conflict.\n                                                                          Continue to prevent new IDs with a segregation of\n                                                                          duties conflict from being created.\n                                                                          Remove unnecessary privileges and/or accounts\n                                                                          given the exceptions we noted related to the\n                                                                          authorities/functions granted to certain ------\n               Three ------------------------ --------------- --- -----   ----------- Accesses granted should be based on the\n               ----------------------------------- - --- - -----          least privilege concept to the minimum number of\n               --- ---- - --- ---- - ) to specify security modes for      personnel with a defined and documented need.\n               individual users without a justified business\n               need.                                                      As an alternate means of providing availability to\n                                                                          functions not used on a regular basis, continue\nCBP-IT-05-02\n               Two----------------------- ----with ---------- ------      implementation of a --------------- -- ------------------\n               had full security administration privileges,               ---- -------- for use by authorized individuals during\n               which violated separation of duties principles.            pre-determined circumstances. Establishment of a\n                                                                          \xe2\x80\x98------------------ would enable the removal of\n               One ----- account had not been utilized since              privileges from individuals who do not regularly\n               August 6, 2004.                                            require such access. ---------- -------- are controlled\n                                                                          through the use of a hardcopy log, secure storage of\n                                                                          passwords, auditing of all --------- --------activities\n                                                                          and suspension after each use.\n               After the re-organization of the Office of\n               Information Technology (OIT), security\n               administration functions at the-- ---- including           Ensure that security administration functions\n               mainframe security, network security, and                  remain independent of operations. In order to\nCBP-IT-05-03   incident response, were not independent of the             maintain independence, the security administration\n               operations function. Rather, the Security                  function should not report to operations\n               Operations Center reported to Technology                   management.\n               Operations, which was not an independent\n               security function.\n                                                                          Develop a process to mitigate the systemic ------\n                                                                          weakness that certain controls can be overridden\n               Due to the design of ------ certain controls\n                                                                          without supervisory approval. Considering the\n               could be overridden without supervisory\n                                                                          number of years necessary to fully replace ------\n               approval. Management plans to implement\n                                                                          functionality with ------- this process should be\n               functionality in the --- - --- --- -- - ------------\nCBP-IT-05-04                                                              designed in a manner to ensure supervisory review\n               ---- ---- ---- ---------- to prevent the override\n                                                                          of ------ overrides while maintaining a minimal\n               capability. KPMG noted that although ------\n                                                                          burden on management. CBP should ensure that\n               will eventually replace ------- ------ will not be\n                                                                          the new ------ system has the appropriate\n               implemented in FY 2005.\n                                                                          requirements for such controls and that these\n                                                                          controls are applied prior to implementation.\nCBP-IT-05-05   Formal procedures for granting access to                   Formally establish a process for granting -----\n\n                                                              11\n    Information Technology Management Letter for the FY 2005 Customs and Border Protection Financial\n                                           Statement Audit\n\x0c                                                                                                           Appendix B\n\n                 Department of Homeland Security - Customs and Border Protection\n                             Information Technology Management Letter\n                                        September 30, 2005\n\n   NFR #                           Condition                                          Recommendation\n               sensitive ------technical team member roles        access to sensitive technical team roles (e.g. basis\n               have not been developed.                           and security team members) and consistently apply\n                                                                  these processes. The procedures should include\n                                                                  requirements for documenting the authorization\n                                                                  request and include the exact roles that should be\n                                                                  granted. Additionally, the procedures should\n                                                                  require a periodic documented recertification of the\n                                                                  user roles within-------\n               The ---------contingency plan has not been\n               updated with the results of the FY 2004\n               continuity of operations plan (COOP) tests.\n               Additionally, the COOP has not undergone the\n                                                                  Update the -------- COOP with the most recent test\n               annual re-evaluation as required. Also,\n                                                                  results. Additionally, re-evaluate the COOP for\n               implementation of the new financial\nCBP-IT-05-06                                                      overall contingency planning procedures on an\n               management system changed the mainframe\n                                                                  annual basis, especially in the event of a major\n               environment to a client-server based -----\n                                                                  system change or upgrade, such as --- --\n               environment. However, the plan has not been\n               updated and, therefore, might contain outdated\n               and improper contingency procedures for\n               information systems and data.\n                                                                  Consistently apply the requirements for initial\n               The requirement for initial security awareness\n                                                                  security awareness training for all employees and\nCBP-IT-05-08   training for employees and contractors was not\n                                                                  contractors upon initially establishing\n               consistently applied.\n                                                                  LAN/mainframe accounts to information systems.\n                                                                  Coordinate with DHS in developing enterprise-\n                                                                  wide solutions for improving network and host-\n                                                                  based system configuration design(s) to reduce the\n                                                                  risks of compromise.\n\n                                                                  Consider use of system administrator level security\n                                                                  management monitoring tools to detect and correct\n                                                                  security deficiencies in preventing possible\n                                                                  intrusions. Use of such tools should include a\n                                                                  planned \xe2\x80\x9cprioritized\xe2\x80\x9d schedule for checking all\n                                                                  servers.\n               Improvements were still needed in security\n               controls affecting ----- ---- - -- ---- --------\nCBP-IT-05-09                                                      Proceed with the implementation of -- -------\n               management and staff\xe2\x80\x99s system access to\n                                                                  -------------------- ----------- ------- ------------\n               applications and data.\n                                                                  ----- ---------- - ---- - ---\n\n                                                                  Provide and approve more robust standards for\n                                                                  -- - - - --- --- -- ---- - ----- - --- - --- -- for a standard\n                                                                  and sustainable baseline set of system management\n                                                                  security controls.\n\n                                                                  Consider development of a compliance-level policy\n                                                                  that provides for adherence to agency password\n                                                                  management policies. This policy should be\n                                                                  developed at ------- --- -- --- - -- -------- - where\n\n\n                                                            12\n    Information Technology Management Letter for the FY 2005 Customs and Border Protection Financial\n                                           Statement Audit\n\x0c                                                                                                          Appendix B\n\n                 Department of Homeland Security - Customs and Border Protection\n                             Information Technology Management Letter\n                                        September 30, 2005\n\n   NFR #                          Condition                                            Recommendation\n                                                                     local system administrators and help desk staff may\n                                                                     apply such policies (e.g., changing password age,\n                                                                     account lockout, password uniqueness, password\n                                                                     length, etc.).\n\n                                                                     For -------- ----- ----------- -----------------------\n                                                                     review, justify, and ensure that the level of access is\n                                                                     based on strict adherence to least privilege\n                                                                     principles where the absolute minimum level\n                                                                     necessary is applied. As CBP moves with DHS\n                                                                     toward more technology efficient enterprise-wide\n                                                                     solutions (e.g., centralized means of managing\n                                                                     network assets), the ability to reduce current levels\n                                                                     will be enhanced.\n                                                                     Continue to review the audit logs daily and\n                                                                     maintain documented evidence.\n               ----- security audit log reviews were not\nCBP-IT-05-10\n               evidenced for the majority of FY 2005.                Train backup personnel to perform this task in the\n                                                                     event that the primary personnel performing this\n                                                                     task are not available.\n               ----- administrator staff have not documented         Complete efforts to identify ---------- -- -- - - ------\n               ISAs for all entities that connect with the ----- .   connections that are considered \xe2\x80\x9clegacy\xe2\x80\x9d\n               Although there was ---- - -- ---------------------    connections and formally establish ISAs with these\n               ------------ - -- -- of all partners that have an     entities.\nCBP-IT-05-11\n               ISA with CBP, this database failed to capture\n               all connections with ------ The majority of           Complete efforts to identify all connections with\n               financial institutions connected to ------ have       the ------ and formally establish ISAs with these\n               not formally established ISAs.                        entities.\n               The \xe2\x80\x9cequipment\xe2\x80\x9d and \xe2\x80\x9cpriority of service\xe2\x80\x9d             Formally update the alternate processing site\n               requirements have not been annually updated.          agreement to accurately reflect the current hardware\nCBP-IT-05-12   As a result, the agreement was outdated and did       and support that will be required of the alternate\n               not reflect the current operating environment at      processing site vendor in the event of an\n               -------                                               emergency.\n               No formal process existed to confirm or enforce\n               compliance with the ---------------------- -\n               ----------------------------- Although field site     Formalize the process to confirm or enforce\n               administrators were trained to perform the re-        compliance with the ---------------------- - - --------at\nCBP-IT-05-13\n               certifications every six months, there was no         the field sites and formally document the\n               management oversight to ensure that the field         verification of field site ---------------------- ---\n               site administrators were performing the re-\n               certifications.\n                                                                     Perform a formal review of all personnel who have\n               Procedures have not been adequately                   access to the --------- ---------- - - to determine those\n               implemented for restricting access to the data        who do not have a formal user access form in place.\n               center located in ------ --- Specifically, nineteen   Establish a formally authorized user access form for\nCBP-IT-05-14\n               out of thirty-two individuals selected did not        each person identified.\n               have proper authorizations documented for\n               access to the data center.                            Confirm that current personnel with data center\n                                                                     access actually need this access to perform their job\n\n\n                                                           13\n    Information Technology Management Letter for the FY 2005 Customs and Border Protection Financial\n                                           Statement Audit\n\x0c                                                                                                                 Appendix B\n\n                  Department of Homeland Security - Customs and Border Protection\n                              Information Technology Management Letter\n                                         September 30, 2005\n\n   NFR #                               Condition                                               Recommendation\n                                                                              functions.\n\n                                                                              Promptly remove physical access rights to the ------\n                                                                              facility when an employee is terminated, thus,\n                                                                              restricting access to the data center.\n                                                                              Develop a formally documented process for\n                                                                              granting normal and emergency access for\n               ------------------- had access to the production               ------ ---- -- to the-- --- production environment.\nCBP-IT-05-15\n               environment.                                                   The access request and authorization should include\n                                                                              specific justification for their access and be\n                                                                              documented and retained.\n               Improvements were still needed in CBP\xe2\x80\x99s\n               Incident Handling and Response Capability.\n               Specifically, issues still exist related to incident\n               prevention, response, recovery, and reporting.\n\n               --- ---- - - --------------- ------------ - - ------ -\n               - - --- - ---- ------------------------ -- ------ ------\n               -- ----------- ------ - - - - --- -------- -------- - --\n                                                                              Develop a process to identify the workstations that\n               ------ ---------------- -------------- -------- ---- ----\n                                                                              have yet to install the ----- ------- -\n               ------------ - -------- - - - ------- - - ------------ - - -\n               --------\n                                                                              Continue to test and implement a standard real-time\n                                                                              automated reporting process whereby information\n               A formal automated reporting capability does\n                                                                              can be generated on all incidents, response, and\nCBP-IT-05-16   not exist to report, in a timely manner, on the\n                                                                              recovery activities on a regular basis for servers and\n               servers and workstations with identified\n                                                                              workstations.\n               vulnerabilities, the number that have been\n               patched, and the number of servers that remain\n                                                                              Develop a consistent process to respond to system\n               vulnerable.\n                                                                              flaw notifications and track reported security\n                                                                              incidents.\n               There is a process in place for tracking\n               incidents. However, the weekly incident report\n               process is not consistent and/or complete.\n               Incidents were not included on requested\n               weekly reports and incident documentation was\n               missing. Sample information or evidence was\n               not available for system flaw notifications.\n\n                                                                              Perform a formal analysis of the company code\n                                                                              setting to determine if it should be set to\n               ------was not configured to indicate a company\nCBP-IT-05-17                                                                  \xe2\x80\x9cproductive.\xe2\x80\x9d This will prevent users with "mass\n               code setting of \xe2\x80\x9cproductive.\xe2\x80\x9d\n                                                                              deletion/change" access the ability to accidentally\n                                                                              or purposely delete transactional data.\n                                                                              Ensure that the assignment of sensitive functions\n                                                                              and high-risk combinations of functions to non-\n               An excessive number of users had access to\n                                                                              supervisory users is based on a documented\nCBP-IT-05-18   sensitive ------- unctions and high-risk\n                                                                              business need and approved by a supervisory\n               combinations of functions.\n                                                                              official. Exceptions from the guidance provided in\n                                                                              the memorandum should be formally approved and\n\n\n                                                                   14\n    Information Technology Management Letter for the FY 2005 Customs and Border Protection Financial\n                                           Statement Audit\n\x0c                                                                                                        Appendix B\n\n                 Department of Homeland Security - Customs and Border Protection\n                             Information Technology Management Letter\n                                        September 30, 2005\n\n   NFR #                          Condition                                          Recommendation\n                                                                   documented.\n                                                                   Determine whether the potential matches are actual\n                                                                   matches. Delete the accounts of any confirmed\n                                                                   terminated employees.\n               A number of separated employees\xe2\x80\x99 names\nCBP-IT-05-19                                                       Continue to use the payroll feed to determine if a\n               appeared on the ----- active user access listing.\n                                                                   ----- user has terminated employment.\n\n                                                                   Disable user accounts of separated employees and\n                                                                   contractors as stated in CBP and NIST guidance.\n               No process existed to formally document test\n               plans, test cases, and test results for -----       Formally document test plans, test cases, and test\n               security and configuration changes.                 results for all - --- changes.\nCBP-IT-05-20\n               The ----- Change Control Board was not              Formally document business and customer impact\n               performing formal business and customer             analyses for ------change requests.\n               impact analyses for ------change requests.\n               Logging of critical tables within ----- has not\n               been activated.                                     Perform a formally documented assessment of the\n                                                                   tables that should be logged by ------\nCBP-IT-05-21   A formal analysis of the tables that should be\n               logged in the-- ---- environment has not been       Complete the implementation of table logging\n               performed, solely relying on recommendations        within ------\n               of a previous audit.\n               A certification and accreditation package for all\n               components of the ------ LAN has not been\n               completed. Specifically, a security control         Complete a security control assessment for all ------\nCBP-IT-05-22   assessment was not conducted for the ------         LAN components and complete a risk assessment\n               LAN as a whole within the last year. Also, a        for all -------LAN components.\n               formal risk assessment was not conducted for\n               all ------ LAN components.\n                                                                   Using federal guidelines outlining what constitutes\n                                                                   a major application, consider reviewing the\n                                                                   sensitivity of applications classified as part of-------\n                                                                   administrative systems separately to determine\n               NIST 800-26 assessments for the seven               which applications warrant individual C&As as\n               business areas within the seven Administrative      major applications, and which applications should\n               Applications have not been completed. No            remain as part of the current Administrative C&A\n               efforts have been made to evaluate the need for     process. Based on results of the sensitivity review,\n               a separate C&A for the applications remaining       perform separate C&As, where appropriate.\nCBP-IT-05-23\n               in the seven business process areas defined in\n               the Administrative Applications C&A. Also,          In accepting risks associated with ----- , consider\n               additional improvements in consolidated             establishing a relationship of identified risks to\n               guidance were necessary to address the issue of     defined security requirements in ----- . This will\n               linking risks/threats to requirements.              assist in understanding what risks are mitigated by\n                                                                   existing controls and what residual risks remain that\n                                                                   management is willing to accept.\n\n                                                                   Given that the ------ deployment may not be\n\n\n                                                         15\n    Information Technology Management Letter for the FY 2005 Customs and Border Protection Financial\n                                           Statement Audit\n\x0c                                                                                                               Appendix B\n\n                 Department of Homeland Security - Customs and Border Protection\n                             Information Technology Management Letter\n                                        September 30, 2005\n\n   NFR #                          Condition                                             Recommendation\n                                                                   completed by the end of the current -----\n                                                                   certification period, incorporate a risk-based\n                                                                   approach for any re-certification efforts performed,\n                                                                   where threats identified are tied to security\n                                                                   requirements and mitigating controls.\n\n                                                                   Consider development of definitive guidance for\n                                                                   risk assessments and security plan criteria. These\n                                                                   criteria should be applied to tie identified risks and\n                                                                   threats to security requirements and controls that\n                                                                   mitigate risks to acceptable levels. This will allow\n                                                                   for the adequate tracking and evaluation of risks\n                                                                   and requirements throughout a system\xe2\x80\x99s lifecycle.\n                                                                   Therefore, management should be able to\n                                                                   definitively recognize what acceptable risks remain.\n               A centralized listing of separated contract         Develop a formal centralized process for tracking\n               personnel was not maintained. The only              the termination of contract personnel.\n               method employed to track terminated\n               contractors was the use of a report of users that   Deactivate all systems access for terminated\n               had their mainframe account deleted. This list      contractors immediately upon separation.\nCBP-IT-05-24\n               was not representative of all terminated\n               contractors since terminated contract personnel     Periodically distribute a listing of terminated\n               might not have had mainframe access or their        contract personnel to information system\n               access might not have been removed after their      administrators so they remove user access and\n               termination.                                        periodically assess contractor access to systems.\n                                                                   Modify the setting on the ------- --------- ---- ---\n               The mainframe disconnected idle sessions after      -------------------- ----------- - ----- - to disconnect idle\n               30 minutes of inactivity rather than the            sessions as specified by agency policy or ensure the\n               prescribed 20 minutes of inactivity noted in the    policy is accurate. (Note: ------------- - ---------------\nCBP-IT-05-25\n               U.S. Customs and Border Protection,                 -- - ------ - - -- -- - ------------ -- -- - - ----- - ------ ----\n               Information Systems Security Policies and           -- - - ------ ----------------- - - --- - --- ----------- -- --- --\n               Procedures Handbook.                                -- - ----- ------- --- ---- ------- - ---- - - --- ---- -----\n                                                                   ------- ---- ------- ----- ----\n               ----- did not have an automated mechanism to\n               detect and deactivate users that had not logged     Continue to review and deactivate inactive accounts\n               on for 90 days. Procedures to perform a             on a monthly basis.\nCBP-IT-05-26   monthly review for inactive accounts in July\n               2005 were implemented. However, for                 Implement an automated mechanism to detect and\n               majority of FY 2005, this procedure was not in      deactivate inactive accounts.\n               place.\n               The formal process to grant VPN access using\n               an authorization form was recently\n               implemented. However, VPN access                    Continue to use the official authorization form for\nCBP-IT-05-27   authorization forms were not available for the      new VPN users. Re-certify all VPN employee\n               majority of employees selected. Also, VPN           accounts on a periodic basis and document results.\n               employee accounts were not periodically re-\n               certified.\n               Action has not been taken to address the prior-     Re-certify users with access - ------- ---- ------------\nCBP-IT-05-28\n               year issue that users with access to-- -----        and document the evidence of the re-certification.\n\n\n                                                         16\n    Information Technology Management Letter for the FY 2005 Customs and Border Protection Financial\n                                           Statement Audit\n\x0c                                                                                                                    Appendix B\n\n                 Department of Homeland Security - Customs and Border Protection\n                             Information Technology Management Letter\n                                        September 30, 2005\n\n   NFR #                             Condition                                                 Recommendation\n               ------------------ --------- --- ----- ----- may be\n               excessive.\n               In FY 2004, issues with access to ----- - -- -----\n               -- --- - ------- ------- -- -- ------- Some profiles\n               with access to modify the ------------------ - -\n               - - ------- -- represented a segregation of duties\n                                                                           Document that access to the -------- ------- - --------\n               conflict.\n                                                                            - -- ---(or equivalent) is properly segregated. This\nCBP-IT-05-29                                                               includes a review -- --- - - - ---- - --- - - - - -- - access\n               In FY 2005, --------was replaced by --- --\n                                                                           to determine if the current granted access is\n               KPMG attempted to determine whether the\n                                                                           appropriate.\n               same issue existed in ------ Information\n               regarding whether --- -- -- ---- ---- - --- - - - - -- --\n               (or equivalent) were appropriately segregated\n               could not be provided.\n               Action has not been taken to address the prior-\n                                                                           Re-certify users with access to - - ------ -----------\n               year finding that the number of users with\nCBP-IT-05-30                                                               Recovery, and Backup datasets. Document the\n               access to--------------------- , Recovery, and\n                                                                           evidence of the re-certification.\n               Backup datasets may be excessive.\n               As part of the Common Local Area Network\n               (LAN) Operating Environment (CLOE) type\n               accreditation to perform formal risk\n               assessments, ---- LANs dispersed across many\n               field sites were not to be visited. As a result,\n               management asserted that they were requiring\n                                                                           Continue to develop a formal process to ensure that\n               each field site on the \xe2\x80\x98non-recommended\xe2\x80\x99\nCBP-IT-05-31                                                               all non-recommended field sites submit a NIST\n               listing to submit a formal NIST 800-26\n                                                                           800-26 LAN self-assessment in a timely manner.\n               assessment for their LAN. Based on this, a\n               sample of 15 field sites were selected from the\n               non-recommended field site listing and we\n               requested evidence of the NIST 800-26 review\n               of their LAN. In a sample of 15 field sites,\n               three site assessments were not provided.\n\n\n\n\n                                                                17\n    Information Technology Management Letter for the FY 2005 Customs and Border Protection Financial\n                                           Statement Audit\n\x0c                                                                                    Appendix C\n\n                              Department of Homeland Security\n                          Information Technology Management Letter\n                                     September 30, 2005\n\n\n\n\n                                       Appendix C\n\n Status of Prior Year Notices of Findings and Recommendations\n                      And Comparison To\n    Current Year Notices of Findings and Recommendations\n\n\n\n\n                                              18\nInformation Technology Management Letter for the FY 2005 Customs and Border Protection Financial\n                                       Statement Audit\n\x0c                                                                                                   Appendix C\n\n                               Department of Homeland Security\n                           Information Technology Management Letter\n                                      September 30, 2005\n\n\n\n                   Status of Prior Year Notices of Findings and Recommendations\n                                        And Comparison To\n                      Current Year Notices of Findings and Recommendations\n\n\n\n        Ref                                    Condition                                       Status\n\n                         Inconsistent ----------- ------ -------                   Issue noted in FY 2005. See\n   CBP-IT-04-01          ----- ----------- to include excessive access to          NFRs CBP-IT-05-02 and CBP-\n                         high-level functions                                      IT-05-03.\n\n                         Inconsistent application certification and\n                         accreditation for all applications in the seven           Issue noted in FY 2005. See\n   CBP-IT-04-02\n                         business process areas defined as Administrative          NFR CBP-IT-05-23.\n                         Applications\n\n                         Continuity of critical ---------- -------\n                                                                                   This condition has been\n   CBP-IT-04-03          operational functions is in question at CBP\n                                                                                   corrected.\n                         alternate processing site\n\n                         Excessive assignment of ----- sensitive                   Issue noted in FY 2005. See\n   CBP-IT-04-04\n                         functions and high-risk combinations                      NFR CBP-IT-05-18.\n\n                         Controls in ------ can be overridden without              Issue noted in FY 2005. See\n   CBP-IT-04-05\n                         supervisory approval                                      NFR CBP-IT-05-04.\n\n                         Excessive access to ------ ---------------- - ------ --   This condition has been\n   CBP-IT-04-06\n                         -- --------------- ---- --- -----                         corrected.\n\n                         Inconsistent field site security program                  Issue noted in FY 2005. See\n   CBP-IT-04-07\n                         management                                                NFR CBP-IT-05-31.\n\n                         Weaknesses identified in system logical access            Issue noted in FY 2005. See\n   CBP-IT-04-08\n                         controls over network assets                              NFR CBP-IT-05-09.\n\n                                                                                   Issue noted in FY 2005. See\n   CBP-IT-04-09          Excessive access to ----- - vendor/bank tables\n                                                                                   NFR CBP-IT-05-29.\n\n                         Incomplete interconnection security agreements            Issue noted in FY 2005. See\n   CBP-IT-04-10\n                         (ISAs)                                                    NFR CBP-IT-05-11.\n\n                         Inconsistent and incomplete ----------------------        This condition has been\n   CBP-IT-04-11\n                         risk assessment                                           corrected.\n\n                         Weaknesses identified in CBP\xe2\x80\x99s on-line                    Issue noted in FY 2005. See\n   CBP-IT-04-12\n                         Transaction Processing System Security ---------          NFR CBP-IT-05-28.\n\n\n                                                    19\nInformation Technology Management Letter for the FY 2005 Customs and Border Protection Financial\n                                       Statement Audit\n\x0c                                                                                             Appendix C\n\n                              Department of Homeland Security\n                          Information Technology Management Letter\n                                     September 30, 2005\n\n        Ref                                  Condition                                   Status\n\n                         Weaknesses in----------------- ------ Segregation   Issue noted in FY 2005. See\n   CBP-IT-04-13\n                         of Duties                                           NFR CBP-IT-05-01.\n\n                         Weaknesses exist in CBP\xe2\x80\x99s Incident Response\n                         Capability, specifically related to Detection and   Issue noted in FY 2005. See\n   CBP-IT-04-14\n                         Incident Initiation; Response and Recovery; and     NFR CBP-IT-05-16.\n                         Incident Server Patch Management Reporting.\n\n                         Inconsistent review of - ------ ----- -------       This condition has been\n   CBP-IT-04-15\n                         logging documentation                               corrected.\n\n                         ----- Materials Management access control\n                                                                             Issue noted in FY 2005. See\n   CBP-IT-04-16          weakness regarding inconsistently documented\n                                                                             NFR CBP-IT-05-05.\n                         authorizations\n\n                         ----- General Controls Environment for\n                         Materials Management Module: System access,         Issue noted in FY 2005. See\n   CBP-IT-04-17\n                         user account management, and configuration          NFR CBP-IT-05-09.\n                         weaknesses identified\n\n                         Inconsistent use of least privilege principles\n                                                                             Issue noted in FY 2005. See\n   CBP-IT-04-18          regarding Mainframe User Groups\xe2\x80\x99 access to\n                                                                             NFR CBP-IT-05-30.\n                         sensitive datasets/utilities\n\n\n\n\n                                                   20\nInformation Technology Management Letter for the FY 2005 Customs and Border Protection Financial\n                                       Statement Audit\n\x0c                                                                                    Appendix D\n\n                              Department of Homeland Security\n                          Information Technology Management Letter\n                                     September 30, 2005\n\n\n\n\n                                       Appendix D\n\n   Management Response to Draft CBP IT Management Letter\n\n\n\n\n                                              21\nInformation Technology Management Letter for the FY 2005 Customs and Border Protection Financial\n                                       Statement Audit\n\x0c                                                                                    Appendix D\n\n                              Department of Homeland Security\n                          Information Technology Management Letter\n                                     September 30, 2005\n\n\n\n\n                                              22\nInformation Technology Management Letter for the FY 2005 Customs and Border Protection Financial\n                                       Statement Audit\n\x0c                                                                                    Appendix D\n\n                              Department of Homeland Security\n                          Information Technology Management Letter\n                                     September 30, 2005\n\n\n\n\n                                              23\nInformation Technology Management Letter for the FY 2005 Customs and Border Protection Financial\n                                       Statement Audit\n\x0c                                                                                                        Appendix D\n\n                                   Department of Homeland Security\n                               Information Technology Management Letter\n                                          September 30, 2005\n\n\n\n\n                                                                                        Completion               Comme\nNFR#               Condition                   Recommendation\n                                                                                        Status                   nts\n                                              Coordinate with each filed office\n                                              that has a segregation of duties\n                                              conflict to either (1) correct the\n                                              problem by removing the\n                                              conflicting roles, or (2) sign a\nCBP-IT-   A number of ------ Ids had a                                                      Completed\n                                              waiver to accept responsibility for\n05-01     segregation of duties conflict.                                                   7/25/05\n                                              issues arising from the\n                                              segregation of duties conflict.\n                                              Continue to prevent new IDs with\n                                              a segregation of duties conflict\n                                              from being created.\n                                              Remove unnecessary privileges\n                                              and/or accounts given the\n                                              exceptions we noted related to\n                                              the authorities/functions granted\n                                              to certain-- -----------------\n          Three -------- ----- -----          Accesses granted should be\n          - - -- -- --- - -- - -------------  based on the least privilege\n          --------- ------ - ---------------- concept to the minimum number\n          ----------- - - - -- - -----------  of personnel with a defined and\n          ---------) to specify security      documented need.\n          modes for individual users\n          without a justified business        As an alternate means of\n          need.                               providing availability to functions\n                                              not used on a regular basis,\nCBP-IT-                                                                                     Completed\n          Two --------- -- ------------- ---- continue implementation of a\n05-02                                                                                       8/1/05\n          with ------------------- had full   - ------------ ------ ---- --- --- -- ---- --\n          security administration             --------) for use by authorized\n          privileges, which violated          individuals during pre-\n          separation of duties                determined circumstances.\n          principles.                         Establishment of a -----------\n                                              ------- would enable the removal\n          One SCA account had not             of privileges from individuals who\n          been utilized since August 6, do not regularly require such\n          2004.                               access. --- - ---------- --- are\n                                              controlled through the use of a\n                                              hardcopy log, secure storage of\n                                              passwords, auditing of all ---------\n                                              --------activities, and suspension\n                                              after each use.\n\n\n\n\n                                                       24\n Information Technology Management Letter for the FY 2005 Customs and Border Protection Financial\n                                        Statement Audit\n\x0c                                                                                                     Appendix D\n\n                                  Department of Homeland Security\n                              Information Technology Management Letter\n                                         September 30, 2005\n\n          After the reorganization of the\n          Office of Information\n          Technology (OIT), security\n          administration functions at the\n                                             Ensure that security\n          ------- including mainframe\n                                             administration functions remain\n          security, network securities,\n                                             independent of operations. In\nCBP-IT-   and incident response, were                                        CBP did not\n                                             order to maintain independence,\n05-03     not independent of the                                             concur\n                                             the security administration\n          operations functions. Rather,\n                                             function should not report to\n          the Security Operations\n                                             operations management.\n          Center reported to\n          Technology Operations,\n          which was not an\n          independent security function.\n                                                Develop a process to mitigate\n                                                the systemic -------weakness that\n          Due to the design of -------          certain controls can be\n          certain controls could be             overridden without supervisory\n          overridden without                    approval. Considering the\n          supervisory approval.                 number of years necessary to\n          Management plans to                   fully replace -------functionality\n          implement functionality in the with ------- this process should be          Target\nCBP-IT-\n          -------------------------------       designed in a manner to ensure        completion\n05-04\n          -------------- - --------- to prevent supervisory review of ------          date 7/31/08\n          the override capability. KPMG overrides while maintaining a\n          noted that although ------ will minimal burden on management.\n          eventually replace-------------- CBP should ensure that the new\n          would not be implemented in ------ system has the appropriate\n          FY 2005.                              requirements for such controls\n                                                and that these controls are\n                                                applied prior to implementation.\n                                                Formally establish a process for\n                                                granting ------ access to sensitive\n                                                technical team roles (e.g. basis\n                                                and security team members) and\n                                                consistently apply these\n          Formal procedures for\n                                                processes. The procedures\n          granting access to sensitive\nCBP-IT-                                         should include requirements for       Completed\n          ------ technical team member\n05-05                                           documenting the authorization         12/1/05\n          roles have not been\n                                                request and include the exact\n          developed.\n                                                roles that should be granted.\n                                                Additionally, the procedures\n                                                should require a periodic\n                                                documented recertification of the\n                                                user roles within ------\n\n\n\n\n                                                     25\n Information Technology Management Letter for the FY 2005 Customs and Border Protection Financial\n                                        Statement Audit\n\x0c                                                                                            Appendix D\n\n                                Department of Homeland Security\n                            Information Technology Management Letter\n                                       September 30, 2005\n\n          The --------- contingency plan\n          has not been updated with\n          the results of the FY 2004\n          continuity of operations plan\n          (COOP) tests. Additionally,\n          the COP has not undergone\n                                           Update the --------- COOP with\n          the annual re-evaluation as\n                                           the most recent test results.\n          required. Also,\n                                           Additionally, re-evaluate the\n          implementation of the new\nCBP-IT-                                    COOP for overall contingency      Completed\n          financial management system\n05-06                                      planning procedures on an         12/29/05\n          changed the mainframe\n                                           annual basis, especially in the\n          environment to a client-server\n                                           event of a major system change\n          based ------ environment.\n                                           or upgrade, such as-------\n          However, the plan has not\n          been updated and, therefore,\n          might contain outdated and\n          improper contingency\n          procedures for information\n          systems and data.\n                                           Consistently apply the\n          The requirement for initial      requirements for initial security\n          security awareness training      awareness training for all        Target\nCBP-IT-\n          for employees and                employees and contractors upon completion\n05-08\n          contractors was not              initially establishing            date 8/31/06\n          consistently applied.            LAN/mainframe accounts to\n                                           information systems.\n\n\n\n\n                                                  26\n Information Technology Management Letter for the FY 2005 Customs and Border Protection Financial\n                                        Statement Audit\n\x0c                                                                                                              Appendix D\n\n                                  Department of Homeland Security\n                              Information Technology Management Letter\n                                         September 30, 2005\n\n                                               Coordinate with DHS in\n                                               developing enterprise-wide\n                                               solutions for improving network                                  Two years ago\n                                               and host-based system                                            CBP began an\n                                               configuration design(s) to reduce                                effort to upgrade\n                                               the risks of compromise.                                         our Novell Netware\n                                                                                                                infrastructure from\n                                               Consider use of system                                           version 5.0 to\n                                               administrator-level security                                     version 6.5 in order\n                                               management monitoring tools to                                   to address the\n                                               detect and correct security                                      password\n                                               deficiencies in preventing                                       recommendation\n                                               possible intrusions. Use of such                                 and gain other\n                                               tools should include a planned                                   improvements.\n                                               "prioritized" schedule for                                       More recently,\n                                               checking all servers.                                            CBP has initiated a\n                                                                                                                project to convert\n                                               Proceed with the implementation                                  to -------- -------------\n                                               of ---------------- ------------ --------                        -----------------\n                                               ------ - ------- ------ ---------- ----------                    --- ------- -- - -- - in\n                                               --------------- ---                                              order to support\n                                                                                                                DHS enterprise\n                                               Provide and approve more                                         standards for\n          Improvements were still              robust standards for -------- ----                               network operating\n          needed in security controls          ---------------- -------------- -- for a                         systems and\n                                                                                               Target\nCBP-IT-   affecting --- - ------ -----------   standard and sustainable                                         desktop\n                                                                                               completion\n05-09     ------ management and staff\'s        baseline set of system                                           applications. This\n                                                                                               date 3/31/07\n          system access to applications        management security controls.                                    project will allow\n          and data.                                                                                             CBP to enforce\n                                               Consider development of a                                        strong passwords\n                                               compliance-level policy that                                     incrementally as\n                                               provides for adherence to                                        ------ --------- - --\n                                               agency password management                                       ----- - - ---- ----\n                                               policies. This policy should be                                  ----- ------ is\n                                               developed at ---------------                                     deployed to\n                                               ------------------- where local                                  individual sites.\n                                               system administrators and help                                   Discontinuing the\n                                               desk staff may apply such                                        Novell upgrade\n                                               policies (e.g. changing password                                 and putting our\n                                               age, account lockout, password                                   efforts into the\n                                               uniqueness, password length,                                     ------ ---------------\n                                               etc.).                                                           ------- Active\n                                                                                                                Directory\n                                               For --------------------- -------- ----                          deployment will\n                                               ----------------- ---, review, justify,                          allow CBP to\n                                               and ensure that the level of                                     comply with both\n                                               access is based on strict                                        the password\n                                               adherence to least privilege                                     recommendation\n                                               principles where the absolute                                    and DHS\n                                               minimum level necessary is                                       standards sooner.\n                                               applied. As CBP moves with\n                                               DHS toward more\n                                                         27\n Information Technology Management Letter for the FY 2005 Customs and Border Protection Financial\n                                        Statement Audit\n\x0c                                                                                              Appendix D\n\n                                Department of Homeland Security\n                            Information Technology Management Letter\n                                       September 30, 2005\n\n                                          technologically efficient\n                                          enterprise-wide solutions (e.g.\n                                          centralized means of managing\n                                          network assets), the ability to\n                                          reduce current levels will be\n                                          enhanced.\n\n\n\n\n                                          Continue to review the audit logs\n                                          daily and maintain documented\n                                          evidence.\n          ------ security audit log\nCBP-IT-                                                                         Completed\n          reviews were not evidenced\n05-10                                     Complete efforts to identify all      5/31/05\n          for the majority of FY 2005.\n                                          connections with the ------ and\n                                          formally establish ISAs with\n                                          these entities.\n          ------ administrator staff has  Complete efforts to identify ----\n          not documented ISAs for all     ------- ---------- ---- connections\n          entities that connect with the  that are considered "legacy"\n                                                                                Target\nCBP-IT-   ------- Although there was a    connections and formally\n                                                                                completion\n05-11     ---- - -----------------------  establish ISAs with these\n                                                                                date 6/1/06\n          ------ ----------- ----- of all entities.\n          partners that have an ISA\n          with CBP, this database failed Complete efforts to identify all\n                                                  28\n Information Technology Management Letter for the FY 2005 Customs and Border Protection Financial\n                                        Statement Audit\n\x0c                                                                                                        Appendix D\n\n                                    Department of Homeland Security\n                                Information Technology Management Letter\n                                           September 30, 2005\n\n          to capture all connections              connections with the -------and\n          with ------- The majority of            formally establish ISAs with\n          financial institutions                  these entities.\n          connected to -------have not\n          formally established ISAs.\n\n\n\n          The "equipment" and "priority           Formally update the alternate\n          of service" requirements have           processing site agreement to\n          not been annually updated.              accurately reflect the current    Target\nCBP-IT-\n          As a result, the agreement              hardware and support that will be completion\n05-12\n          was outdated and did not                required of the alternate         date 3/31/06\n          reflect the current operating           processing site vendor in the\n          environment at -------                  event of an emergency.\n          Nor formal process exists to\n          confirm or enforce\n          compliance with the ------\n          ----------------- -------------------\n                                                  Formalize the process to confirm\n          ------------ . Although field site\n                                                  or enforce compliance with the\n          administrators were trained to\nCBP-IT-                                           --------- -------------------- - - --- at Completed\n          perform the recertifications\n05-13                                             the field sites and formally              9/12/05\n          every six months, there was\n                                                  document the verification of the\n          no management oversight to\n                                                  field site ------------ ---------- ---.\n          ensure that the field site\n          administrators were\n          performing the\n          recertifications.\n                                                  Perform a formal review of all\n                                                  personnel who have access to\n                                                  the ------------- ---------- - to\n                                                  determine those who do not\n                                                  have a formal user access form\n          Procedures have not been                in place. Establish a formally\n          adequately implemented for              authorized user access form for\n          restricting access to the data          each person identified.\n          center located in ---------.                                              Target\nCBP-IT-\n          Specifically, nineteen out of           Confirm that current personnel    completion\n05-14\n          thirty-two individuals selected         with data center access actually date 3/31/07\n          did not have proper                     need this access to perform their\n          authorizations documented               job functions.\n          for access to the data center.\n                                                  Promptly remove physical\n                                                  access rights to the ------ facility\n                                                  when an employee is terminated,\n                                                  thus restricting access to the\n                                                  data center.\n\n\n\n\n                                                          29\n Information Technology Management Letter for the FY 2005 Customs and Border Protection Financial\n                                        Statement Audit\n\x0c                                                                                                      Appendix D\n\n                                      Department of Homeland Security\n                                  Information Technology Management Letter\n                                             September 30, 2005\n\n                                                     Develop a formally documented\n                                                     process for granting normal and\n                                                     emergency access for\n          --------------------- had access           -------------- to the ------\nCBP-IT-                                                                                 Completed\n          to the production                          production environment. The\n05-15                                                                                   8/1/05\n          environment.                               access request and authorization\n                                                     should include specific\n                                                     justification for their access and\n                                                     be documented and retained.\n          Improvements were still\n          needed in CBP\'s Incident\n          Handling and Response\n          Capability. Specifically, issues\n          still exist related to incident\n          prevention, response,\n          recovery, and reporting.\n\n          -------------------------- -------- ----\n          ------------ - ---------- - ----------\n          --------------------------------- ----\n          --------------- - -------\n                                                     Develop a process to identify the\n          ---------------------------------------\n                                                     workstations that have yet to\n          -------------------------- - - ---- --\n                                                     install the ----------------\n          ------------------ --------- --------\n          ----------------------------------\n                                           Continue to test and implement a\n          -----------------\n                                           standard real-time automated\n                                           reporting process whereby\n          A formal automated reporting                                                   Target\n                                           information can be generated on\nCBP-IT-   capability does not exist to                                                   completion\n                                           all incidents, response, and\n05-16     report, in a timely manner, on                                                 date to be\n                                           recovery activities on a regular\n          the servers and workstations                                                   determined\n                                           basis for servers and\n          with identified vulnerabilities,\n                                           workstations.\n          the number that have been\n          patched, and the number of\n                                           Develop a consistent process to\n          servers that remain\n                                           respond to system flaw\n          vulnerable.\n                                           notifications and track reported\n                                           security incidents.\n          There is a process in place\n          for tracking incidents.\n          However, the weekly incident\n          report process is not\n          consistent and/or complete.\n          Incidents were not included\n          on requested weekly reports\n          and incident documentation\n          was missing. Sample\n          information or evidence was\n          not available for system flaw\n          notifications.\n\n\n\n                                                            30\n Information Technology Management Letter for the FY 2005 Customs and Border Protection Financial\n                                        Statement Audit\n\x0c                                                                                                 Appendix D\n\n                                 Department of Homeland Security\n                             Information Technology Management Letter\n                                        September 30, 2005\n\n                                         Perform a formal analysis of the\n                                         company code setting to\n                                         determine if it should be set to\n          ------ was not configured to   "productive." This will prevent\nCBP-IT-                                                                           Completed\n          indicate a company code        users with "mass\n05-17                                                                             10/31/05\n          setting of "productive."       deletion/change" access the\n                                         ability to accidentally or\n                                         purposely delete transactional\n                                         data.\n                                         Ensure that the assignment of\n                                         sensitive functions and high-risk\n                                         combinations of functions to non-\n          An excessive number of         supervisory users is based on a\n                                                                                  Target\nCBP-IT-   users had access to sensitive documented business need and\n                                                                                  completion\n05-18     ------ functions and high-risk approved by a supervisory\n                                                                                  date 3/31/06\n          combinations of functions.     official. Exceptions from the\n                                         guidance provided in the\n                                         memorandum should be formally\n                                         approved and documented.\n                                         Determine whether the potential\n                                         matches are actual matches.\n                                         Delete the accounts of any\n                                         confirmed terminated\n                                         employees.\n          A number of separated\nCBP-IT-   employees\' names appeared Continue to use the payroll feed              Completed\n05-19     on the ------ active user      to determine if a ------ user has        1/24/06\n          access listing.                terminated employment.\n\n                                            Disable user accounts of\n                                            separated employees and\n                                            contractors as stated in CBP and\n                                            NIST guidance.\n          No process existed to\n          formally document test plans,\n          test cases, and test results for Formally document test plans,\n          ------ security and              test cases, and test results for all\n          configuration changes.           ------ changes.\nCBP-IT-                                                                           Completed\n05-20                                                                             1/24/06\n          The ------ Change Control      Formally document business and\n          Board was not performing       customer impact analyses for\n          formal business and------ omer ------ change requests.\n          impact analyses for ------\n          change requests.\n          Logging of critical tables with\n                                            Perform a formally documented\n          ------ has not been activated.\n                                            assessment of the tables that\nCBP-IT-                                     should be logged by ------.           Completed\n          A formal analysis of the tables\n05-21                                                                             1/25/06\n          that should be logged in the\n                                          Complete the implementation of\n          ------ environment has not\n                                          table logging within ------\n          been performed, solely\n                                                   31\n Information Technology Management Letter for the FY 2005 Customs and Border Protection Financial\n                                        Statement Audit\n\x0c                                                                                          Appendix D\n\n                                 Department of Homeland Security\n                             Information Technology Management Letter\n                                        September 30, 2005\n\n          relying on recommendations\n          of a previous audit.\n\n\n\n\n          A certification and\n          accreditation package for all\n          components of the------- LAN\n          has not been completed.\n                                             Complete a security control\n          Specifically, a security control\n                                             assessment for all ------ LAN  Target\nCBP-IT-   assessment was not\n                                             components and complete a risk completion\n05-22     conducted for the ------ LAN\n                                             assessment for all ------ LAN  date 7/1/06\n          as a whole within the last\n                                             components.\n          year. Also, a formal risk\n          assessment was not\n          conducted for all------- LAN\n          components.\n                                         Using federal guidelines outlining\n                                         what constitutes a major\n                                         application, consider reviewing\n                                         the sensitivity of applications\n                                         classified as part of the ------\n                                         administrative systems\n                                         separately to determine which\n                                         applications warrant individual\n          NIST 800-26 assessments for C&As as major applications, and\n          the seven business areas       which applications should remain\n          with the seven Administrative as part of the current\n          Applications have not been     Administrative C&A process.\n          completed. No efforts have     Based on results of the\n          been made to evaluate the      sensitivity review, perform\n          need for a separate C&A for separate C&As, where\nCBP-IT-   the applications remaining in appropriate.                         Completed\n05-23     the seven business process                                         8/15/05\n          areas defined in the           In accepting risks associated\n          Administrative Applications    with ------- consider establishing\n          C&A. Also, additional          a relationship of identifying risks\n          improvements in consolidated to defined security requirements\n          guidance were necessary to in ------- This will assist in\n          address the issue of linking   understanding what risks are\n          risks/threats to requirements. mitigated by existing controls\n                                         and what residual risks remain\n                                         that management is willing to\n                                         accept.\n\n                                             Given that the ------ deployment\n                                             may not be completed by the\n                                             end of the current ------\n                                             certification period, incorporate a\n                                                    32\n Information Technology Management Letter for the FY 2005 Customs and Border Protection Financial\n                                        Statement Audit\n\x0c                                                                                                 Appendix D\n\n                                Department of Homeland Security\n                            Information Technology Management Letter\n                                       September 30, 2005\n\n                                           risk-based approach for any\n                                           recertification efforts performed,\n                                           where threats identified are tied\n                                           to security requirements and\n                                           mitigating controls.\n\n                                           Consider development of\n                                           definitive guidance for risk\n                                           assessments and security plan\n                                           criteria. These criteria should be\n                                           applied to tie identified risks and\n                                           threats to security requirements\n                                           and controls that mitigate risks to\n                                           acceptable levels. This will allow\n                                           for the adequate tracking and\n                                           evaluation of risks and\n                                           requirements throughout a\n                                           systems lifecycle. Therefore,\n                                           management should be able to\n                                           definitely recognize what\n                                           acceptable risks remain.\n\n\n\n\n          A centralized listing of         Develop a formal centralized\n          separated contract personnel     process for tracking the\n          was not maintained. The only     termination of contract\n          method employed to track         personnel.\n          terminated contractors was\n          the use of a report of users     Deactivate all system access for\n          that had their mainframe         terminated contractors\n                                                                                  Target\nCBP-IT-   account deleted. This list was   immediately upon separation.\n                                                                                  completion\n05-24     not representative of all\n                                                                                  date 3/31/07\n          terminated contractors since     Periodically distribute a listing of\n          terminated contract personnel    terminated contract personnel to\n          might not have had               information system\n          mainframe access or their        administrators so they remove\n          access might not have been       user access and periodically\n          removed after their              assess contractor access to\n          termination.                     systems.\n\n\n\n\n                                                   33\n Information Technology Management Letter for the FY 2005 Customs and Border Protection Financial\n                                        Statement Audit\n\x0c                                                                                                                  Appendix D\n\n                                     Department of Homeland Security\n                                 Information Technology Management Letter\n                                            September 30, 2005\n\n                                                   Modify the setting on ---------------\n                                                   ---------------------------------- ---\n          The mainframe disconnected\n                                                   ------ ---------------- to disconnect\n          idle sessions after 30 minutes\n                                                   idle sessions as specified by\n          of inactivity rather that the\n                                                   agency policy or ensure the\n          prescribed 20 minutes of\nCBP-IT-                                            policy is accurate. (Note: -------- Completed\n          inactivity noted in the U.S.\n05-25                                              ---------------- -------------------------- 9/29/05\n          Customs and Border\n                                                   ----------------- ----- ---- ------- --\n          Protection Information\n                                                   ------ --- ----- - - ----- --------------------\n          Systems Security Policies\n                                                   ----------------- ------- ----- ----------\n          and Procedures Handbook.\n                                                   --------------- -- ----------- ----- - -------\n                                                   ------------------ -------------- ----------\n          ------ did not have an\n          automated mechanism to\n                                                   Continue to review and\n          detect and deactivate users\n                                                   deactivate inactive accounts on a\n          that had not logged on for 90\n                                                   monthly basis.                                  Target\nCBP-IT-   days. Procedures to perform\n                                                                                                   completion\n05-26     a monthly review for inactive\n                                                   Implement an automated                          date 5/31/06\n          accounts in July 2005 were\n                                                   mechanism to detect and\n          implemented. However, for\n                                                   deactivate inactive accounts.\n          the majority of FY 2005, this\n          procedure was not in place.\n          The formal process to grant\n          VPN access using an\n          authorization form was\n          recently implemented.                    Continue to use the official\n                                                                                                   Target\n          However, VPN access                      authorization form for new VPN\nCBP-IT-                                                                                            completion\n          authorization forms were not users. Recertify all VPN\n05-27                                                                                              date to be\n          available for the majority of            employee accounts on a periodic\n                                                                                                   determined\n          employees selected. Also,                basis and document results.\n          VPN employee accounts\n          were not periodically\n          recertified.\n          Action has not yet been taken\n          to address the prior-year                Recertify users with access -\nCBP-IT-   issue that users with access ----------------- ------ and document Completed\n05-28     to ------------------------- ----------- the evidence of the                             11/1/05\n          ------------------- may be               recertification.\n          excessive.\n          In FY 2004, issues with\n          access to ------------------- ---\n          ------------- - were reported.           Document that access to the\n          Some profiles with access to ---------------------------------- --- (or\n          modify the ------------------- ---- equivalent) is properly\nCBP-IT-   ------------- - represented a            segregated. This includes a                     Completed\n05-29     segregation of duties conflict. review of ---- -------- ------- -- ------- 8/30/05\n                                                   access to determine if the\n          In FY 2005, ------- was                  current granted access is\n          replaced by ------ KPMG                  appropriate.\n          attempted to determine\n          whether the same issue\n\n                                                           34\n Information Technology Management Letter for the FY 2005 Customs and Border Protection Financial\n                                        Statement Audit\n\x0c                                                                                                   Appendix D\n\n                                      Department of Homeland Security\n                                  Information Technology Management Letter\n                                             September 30, 2005\n\n          existed in ------ Information\n          regarding whether-------\n          ----------- ----- ---------- --- (or\n          equivalent) were\n          appropriately segregated\n          could not be provided.\n\n\n\n\n          Action has not been taken to\n          address the prior-year finding         Recertify users with access to\nCBP-IT-   that that number of users with         ----------------------- Recovery, and Completed\n05-30     access to --- ------------------ ,     Backup datasets. Document the 8/11/05\n          Recovery, and Backup                   evidence of the recertification.\n          datasets may be excessive.\n          As part of the Common Local\n          Area Network (LAN)\n          Operating Environment\n          (CLOE) type accreditation to\n          perform formal risk\n          assessment, ----- LANs\n          dispersed across many field\n          sites were not to be visited.\n          As a result, management\n          asserted that they were                Continue to develop a formal\n          requiring each field site on the       process to ensure that all non-\nCBP-IT-                                                                             Completed\n          "non-recommended" listing to           recommended field sites submit\n05-31                                                                               9/9/05\n          submit a formal NIST 800-26            a NIST 800-26 LAN self-\n          assessment for their LAN.              assessment in a timely manner.\n          Based on this, a sample of 15\n          field sites was selected from\n          the non-recommended field\n          site listing and we requested\n          evidence of the NIST 800-26\n          review of their LAN. In a\n          sample of 15 field sites, three\n          site assessments were not\n          provided.\n\n\n\n\n                                                        35\n Information Technology Management Letter for the FY 2005 Customs and Border Protection Financial\n                                        Statement Audit\n\x0c                  Report Distribution\n\n                  Department of Homeland Security\n\n                  Secretary\n                  Deputy Secretary\n                  General Counsel\n                  Chief of Staff\n                  Executive Secretariat\n                  Under Secretary, Management\n                  Commissioner, CBP\n                  DHS Chief Information Officer\n                  DHS Chief Financial Officer\n                  Chief Information Officer, CBP\n                  Assistant Secretary, DHS Public Affairs\n                  Assistant Secretary, DHS Policy\n                  DHS Audit Liaison\n                  Chief Information Officer Audit Liaison\n                  CBP Audit Liaison\n\n                  Office of Management and Budget\n\n                  Chief, Homeland Security Branch\n                  DHS OIG Budget Examiner\n\n                  Congress\n\n                  Congressional Oversight and Appropriations Committees as Appropriate\n\n\n\n\nInformation Technology Management Letter for the FY 2005 Customs and Border Protection\n                             Financial Statement Audit\n\x0cAdditional Information and Copies\n\nTo obtain additional copies of this report, call the Office of Inspector General\n(OIG) at (202) 254-4100, fax your request to (202) 254-4285, or visit the OIG\nweb site at www.dhs.gov/oig.\n\nOIG Hotline\n\nTo report alleged fraud, waste, abuse or mismanagement, or any other kind\nof criminal or noncriminal misconduct relative to department programs or\noperations, call the OIG Hotline at 1-800-323-8603; write to DHS Office of\nInspector General/MAIL STOP 2600, Attention: Office of Investigations \xe2\x80\x93\nHotline, 245 Murray Drive, SW, Building 410, Washington, DC 20528; fax\nthe complaint to (202) 254-4292; or email DHSOIGHOTLINE@dhs.gov. The\nOIG seeks to protect the identity of each writer and caller.\n\x0c'